There is no doubt that POA&Ms can be confusing. What they are, when you create an action item, how you manage your POA&Ms, how they relate to other aspects of your cyber security program, and of course, how to specifically manage POA&Ms for CMMC compliance are all leaving members of the DIB scratching their heads. This brief gives high level answers to all those questions.
POA&M stands for Plan of Action and Milestones. Effectively, a single POA&M represents the steps an organization needed to take to close the gap on a particular cybersecurity control that does not currently meet a specific requirement or objective related to a security framework, in this case we will be discussing CMMC specifically.
POA&Ms in general should be created every time a vulnerability in your current cybersecurity program is identified. For example, you identify during a self-assessment that patching is not taking place, it should be recorded along with plans for remediation, when the remediation will take place, who is responsible and how to verify that the work is done.
Accordingly, POA&Ms should be viewed as a living, breathing document with realistic, dynamic changes taking place on a regular basis rather than being viewed as a static checklist of things to do once and be done. Our advisory team has noticed that a number of clients initially view POA&Ms as the latter but your networks and work habits are all dynamic so your cybersecurity vulnerabilities will change along with those infrastructure and organizational changes. POA&Ms should also be created whenever an organization plans updates to their infrastructure. For example, if you are updating your email system, you should create related POA&Ms for any vulnerabilities that are discovered during your risk assessment of the update for the new technological investment, but also for all the related policies and procedures that will be effected.
A CMMC POA&M is written documentation describing the proactive steps an organization plans to take to close the gap between current cybersecurity practices relative to a specific CMMC control and the level of security needed to meet the control requirements.
Effectively, you need to document your plan regarding the actions you'll take to address any security vulnerabilities identified during an analysis of your readiness for a CMMC assessment. Overall, your POA&Ms for all of your CMMC requirements should detail:
In discussing POA&Ms with the Coalfire Federal CMMC advisory team, several interesting observations were made regarding what they are seeing:
“One client has a great practice where they sort of make a game out of it – they keep asking ‘why’ until they get to the root of the problem and when they get to the why, that is what goes into the POA&M.”
“Clients that manage POA&Ms well know that they need to do a risk assessment and include change management strategies as part of their POA&Ms rather than just writing down the problem.”
“POA&Ms can’t be a stand-alone thing – they should be incorporated into exercises that involve regular reviews.”
“Treating POA&Ms as a place that incidents and problems go to die is not only ineffective but dangerous.”
All of these are excellent points that have shaped the way our team approaches the subject of POA&Ms with our clients. We are constantly informing our practices with lessons learned from each engagement.
At the start of your gap analysis against CMMC requirements, you should identify a process and tools for keeping track of any unmet requirements and think strategically about how to close the gaps in a timely fashion. As we have noted in previous posts, it is a great idea to designate an individual in your organization that will become the point person for CMMC preparations. This person should know something about cybersecurity, a bit about project management and have enough authority in the organization to ensure that when a requirement is assigned to an individual in the organization that it is taken seriously. We also highly recommend that your designated CMMC point person be a full-time employee of your organization and that they go through the CMMC CCP training if at all possible. It just sets the tone for understanding what assessors will be looking for during the certification process.
Another key component is a tool or set of tools that allows your organization to manage and track preparations for a CMMC assessment. There are a number of excellent governance risk and compliance (GRC) tools available that can help your organization manage all the artifacts required for demonstrating compliance with controls as well as help you document which artifacts apply to a control and how, and otherwise support inclusion of preparatory notes. Having built in trackers for managing POA&Ms is also a great feature to look for when selecting a GRC tool.
Effectively, during your gap analysis, you need to identify your FCI and CUI boundaries and then consider whether and how each control requirement is met. For any unmet controls, the following steps should be taken.
Conduct a thorough CMMC gap analysis to pinpoint areas where your organization falls short of CMMC requirements.
For unmet controls, ask why until you get to actionable items. Those actionable items should be your POA&Ms.
Craft specific actions to address each unmet control. Assign an appropriate individual within your organization to manage the POA&M.
Set realistic deadlines for completing each mitigation strategy within your POA&M.
Continuously track progress towards completing your POA&M actions. Update the document as needed to reflect completed tasks.
The proposed CMMC 2.0 rule introduces changes to POA&Ms. One difference between CMMC 1.0 and CMMC 2.0 is that selected security requirements are eligible for having a Plan of Action and Milestones (POA&M) that must be closed within 180 days of assessment. While this was expected to be part of the proposed ruling, we got specific guidance in section 170.21 related to what controls are eligible for POA&M during an assessment (and implicitly, a clear understanding of what controls are not eligible for POA&M):
“An OSA is only permitted to have a POA&M for CMMC Level 2 if all the following conditions are met:
The intricacies of CMMC can be complex. Our team of experienced CMMC professionals possesses the experience and knowledge to help you identify and address vulnerabilities and achieve CMMC certification with confidence. For expert guidance and a smoother compliance journey, contact us and learn more about Coalfire Federal's CMMC advisory services.
